IN THE UNITED STATES PATENT AND TRADEMARK OFFICE 

In Application of : BAR et al. 

Serial No. : 10/774,169 : Group Art Unit: 2155 

Filed : February 5, 2004 : Examiner: Thuong Nguyen 

For : DETECTING AND PROTECTING AGAINST WORM TRAFFIC ON A 

NETWORK 

PRE-APPEAL BRIEF REQUEST FOR REVIEW 

L Introductory Comments 

Claims 1, 4-24, 29-35, 38-58, 63-69, 72-92 and 97-108 are pending in this application. 
Claims 1, 29, 32, 35, 63, 66, 69, 97 and 100 are independent claims. 

On April 11, 2007, Appellant appealed from a final rejection of all the claims in this 
application and filed a Pre- Appeal Brief Request for Review (PABRR). Prosecution was then 
reopened with a new Official Action dated August 6, 2007, in which all of the pending claims 
were again rejected. Appellant renewed the appeal on October 10, 2007, with a new PABRR. 
Together with the notice of appeal, Appellant filed an amendment canceling claims 25, 26, 
28, 59, 60, 62, 93, 94 and 96. 

Prosecution has now been reopened once again, with a new Official Action dated 
April 29, 2008, in which all of the pending claims were again rejected, along with some 
claims that are no longer pending. In this Official Action, claims 1, 4-1 1, 21, 22, 25, 26, 28- 
35, 38-45, 55, 56, 59, 60, 62-69, 72-79, 89, 90, 93, 94, 96-103, 105 and 107 were rejected 
under 35 U.S.C. 103(a) over Lyle (U.S. Patent 6,886,102) in view of Smithson (U.S. Patent 
6,886,099). Dependent claims 12-20, 23, 24, 46-54, 57, 58, 80-88, 91, 92, 104, 106 and 108 
were rejected under 35 U.S.C. 103(a) over Lyle in view of Smithson and further in view of 
other references. 

As a preliminary matter, Appellant notes that the rejection of claims 25, 26, 28, 59, 
60, 62, 93, 94 and 96 is moot, since these claims were previously canceled. 

Appellant respectfully submits that the cited art fails to teach, or even to suggest, 
every element of the independent claims remaining in this application. Accordingly, 
Appellant requests that the application be allowed on the existing claims. In view of the 
substantial effort already invested by the Examiner (and concomitantly by Appellant) in this 
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application, reopening prosecution once again, for a third time, will be an unjustified waste of 
time and resources of both the Patent Office and Appellant. 

//. Rejection of independent claims 1, 35 and 69 under 35 U.S.C. 103(a) over Lyle in 
view of Smithson 

These claims recite a method, apparatus and software product for processing 
communication traffic that is directed to a group of addresses on a network, based on 
monitoring traffic that is directed to a subset of the group. The subset of the group of the 
addresses that is to be monitored is identified such that the addresses in the subset are 
expected to receive smaller amounts of the communication traffic than other addresses in the 
group. The Examiner acknowledged in the Official Action (page 3, lines 11-13) that Lyle 
does not teach this claim limitation. In fact, Lyle neither teaches nor suggests any criterion for 
selection of ports or addresses to be monitored. 

The Examiner went on to maintain that Smithson (Fig. 2; col. 4, lines 5-25; col. 5, 
lines 7-23) teaches identifying a subset of a group of addresses that are expected to receive 
smaller amounts of communication traffic. Fig. 2, however, shows no more than a 
conventional computer architecture. The passages cited by the Examiner in cols. 4 and 5 
relate to measurement parameters for detecting a virus outbreak and associated user- 
controlled threshold levels. The parameters may include numbers of various types of e-mail 
messages that are sent by the monitored computer or e-mail throughput (col. 4, lines 26-39). 
If one of these parameters is greater than the threshold, a virus outbreak signal is generated 
(col. 5, lines 15-17). 

Smithson is concerned with the numbers of e-mail messages that are transmitted by a 
single computer. He does not attempt to determine which addresses on a network receive 
greater or smaller amounts of communication traffic than others, nor does he suggest that 
such a determination might be of value in virus detection. He does not relate to choosing 
addresses to be monitored for purposes of virus detection or any other purpose. Thus, he 
certainly does not even hint at identifying or choosing to monitor certain addresses that are 
expected to receive smaller amounts of communication traffic , as recited in claims 1, 35 and 
69. 

To sum up, the Examiner has failed to point out even a hint of teaching or motivation 
in either Lyle or Smithson that would have led a person of ordinary skill in the art to choose 
any particular subset of addresses for monitoring, let alone the surprising choice of 
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identifying low-traffic addresses for this purpose, as recited in claims 1, 35 and 69. 
Therefore, independent claims 1, 35 and 69 are patentable over the cited art. 

///. Rejection of independent claims 29, 63 and 97 under 35 U.S.C. 103(a) over Lyle in 
view of Smithson 

These claims recite a method, apparatus and software product in which 
communication traffic is monitored so as to detect packets indicative of a network 
communication failure that is characteristic of a worm infection . Upon detecting an increase 
in the rate of arrival of these packets, the communication traffic is filtered so as to remove 
communication traffic that is generated by the worm infection. Applicant pointed out in 
response to a previous Official Action and in the previous PABRR in this case that Lyle 
neither teaches nor suggests applying this sort of packet detection criterion. (See Appellant's 
Response to Official Action filed December 7, 2006, pages 6-7.) 

Nevertheless, in the present Official Action (page 8, lines 11-12), the Examiner 
simply repeated her earlier assertion that Lyle teaches "detecting an increase in a rate of 
arrival of the packets that are indicative of the communication failure" in col. 10, line 60 - 
col. 11, line 1. This passage, however, relates only to detecting the "level or rate" of "certain 
types of messages" (col. 10, lines 55-59), without specifying the types of messages that are 
involved. Lyle makes no mention or suggestion of communication failures or how they 
should be handled, and does not even hint that packets indicative of such failures could be 
used in filtering worm-generated traffic as required by the present claims. 

Smithson also says nothing about packets that are indicative of a communication 
failure in the network. The passage cited by the Examiner in Smithson in relation to claim 29 
(col. 6, lines 34-43) proposes only that some or all e-mail attachments be blocked in case of a 
virus outbreak. Smithson neither teaches nor suggests detecting packets of any particular 
type, let alone detecting packets that are indicative of a communication failure that is 
characteristic of a worm infection, as recited in claims 29, 63 and 97. 

Therefore, independent claims 29, 63 and 97 are patentable over the cited art. 

IV. Rejection of independent claims 32, 66 and 100 under 35 U.S.C. 103(a) over Lyle in 
view of Smithson 

These claims recite a method, apparatus and software product in which 
communication traffic on a network is monitored so as to detect ill-formed packets. The UK 
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formed packets are used in determining that at least a portion of the traffic has been generated 
by a worm infection . Appellant pointed out in the above-mentioned response of December 7, 
2006, and in the previous PABRR that Lyle fails to relate in any way to whether packets are 
well formed or ill formed, and certainly does not suggest that detection of ill-formed packets 
might be used in determining that a worm infection has occurred. 

Yet again the Examiner has simply repeated the previous grounds of rejection. In the 
present Official Action, the Examiner stated (page 9, lines 12-14) that in col. 7, lines 9-19, 
"Lyle discloses that the method of scanning the network for the suspicious data within the 
tracking system." The cited passage, however, says only that "the sniffers search for data 
indicating an actual or suspected attack... as described more fully below." Lyle goes on to 
describe a number of ways in which the sniffers may search for such attack-related data (see, 
for example, col. 10, lines 30-59). None of these ways has anything to do with ill-formation 
of packets . 

Smithson, likewise, says nothing at all about whether packets are well formed or ill 
formed, and thus could not possibly be taken to suggest detecting or making any other use of 
ill-formed packets. 

Therefore, independent claims 32, 66 and 100 are patentable over the cited art. 

V. Rejection of the dependent claims 

In view of the patentability of all the pending independent claims, as explained above, 
the dependent claims in this application are believed to be patentable, as well. Furthermore, 
notwithstanding the patentability of the independent claims, Appellant believes that the 
dependent claims recite independently-patentable subject matter. In the interest of brevity, 
however, Appellant will defer further argument regarding the dependent claims to the Appeal 
Brief, in the event that this application proceeds to appeal. 
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VI. Conclusion 

In view of the above remarks, Appellant respectfully submits that all of 
the claims in the present application are in order for allowance. Notice to this effect is 
hereby requested. 



Abelman, Frayne & Schwab 
666 Third Avenue, 10th Floor 
New York, NY 10017-5621 
212-885-93863 
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